How does IEC 62304 relate to medical device software development?

IEC 62304 is the international standard detailing life cycle requirements for medical device software, which is crucial for FDA clearance. This standard mandates a structured approach to software development, emphasizing risk management and defect prevention. Adhering to IEC 62304 from the project's inception ensures the software is safe and effective, streamlining the regulatory approval process.

Why is ISO 13485 certification important for medtech companies?

ISO 13485 is the international standard for quality management systems specific to medical devices. This certification demonstrates a company's commitment to quality and regulatory compliance, and is often required for market access internationally. Implementing the ISO 13485 framework helps ensure products consistently meet customer and regulatory requirements, such as those included in the eSTAR premarket submission.

When should cybersecurity be integrated into medical device development?

Cybersecurity must be integrated into the medical device development process from its earliest stages, rather than being treated as an afterthought. This 'Security by Design' approach aligns with the FDA's guidance, recognizing that early integration through a Threat Model during design is more cost-effective. Addressing security proactively results in a more resilient device and reduces the burden of remediation later.

What common mistakes do medtech startups make regarding cybersecurity?

A common mistake medtech startups make is failing to integrate cybersecurity early in the device development lifecycle. This oversight creates vulnerabilities that are significantly more expensive and difficult to remediate post-market. The FDA's Section 524B, which mandates premarket cybersecurity submissions, underscores the importance of continuous cybersecurity efforts, beginning with a robust Software Bill of Materials (SBOM).

Podcast Ep 57: From Idea to FDA Clearance: What Nobody…

By Christian Espinosa, MBA, CISSP

Founder & CEO · Blue Goat Cyber

Reviewed by Trevor Slattery

COO · Blue Goat Cyber

Last reviewed: May 1, 2026

Listen now

Episode breakdown

Key takeaways

Medtech founders often build products without a clear market need or that add complexity for physicians, hindering adoption.
Adhering to IEC 62304 is crucial when selecting a software development partner for medical devices, ensuring proper software lifecycle processes.
ISO 13485 certification for software development firms like Prolucid Technologies enhances investor confidence due to established quality management systems.
Integrating quality systems and cybersecurity from the initial design phase, rather than adding them as an afterthought, is critical for medical device development.
Cybersecurity measures, including penetration testing, must be incorporated throughout the development process to address vulnerabilities early.
The Canadian medtech ecosystem, particularly in Toronto, is a significant hub for medical device innovation and development.

Building medical device software is hard. Building it the right way is harder. And getting it through FDA approval while managing cybersecurity requirements? That's what Darcy Bachert has been doing for 17 years.

Darcy runs Prolucid Technologies, an ISO 13485-certified software development firm in Toronto. They work with MedTech companies across North America, Europe, and Australia.

And in that time, he's seen the same mistakes repeatedly.

The biggest one? Founders build products that solve problems nobody has. Or they build something physicians won't adopt because it adds complexity instead of making their lives easier.

In this conversation, Darcy talks about IEC 62304 and why it matters when choosing a software partner. The Canadian MedTech ecosystem and why Toronto is a major hub. And why quality systems and cybersecurity need to be built in from day one, not added at the end.

This episode is practical if you're building a medical device or working with MedTech startups.

Frequently asked questions

Bring this work to your device

Need help with threat modeling?

Blue Goat Cyber delivers medical device threat modeling for medical device manufacturers - from threat modeling to FDA-ready reports.

Medical Device Threat Modeling

From Idea to FDA Clearance: What Nobody Tells MedTech Founders with Darcy Bachert

Episode breakdown

Key takeaways

Read the conversation

Frequently asked questions

Need help with threat modeling?

Early Design Decisions that Shape Medical Device Success with Chris Danek, CEO of Bessel

What Happens When AI in Medical Devices Make Mistakes?

The Human Factor in MedTech Design with Dylan Horvath

Science Before Hype in MedTech Investing with Varun Turlapati of Chaanakya Capital

Get FDA cleared without the cybersecurity headaches.

From Idea to FDA Clearance: What Nobody Tells MedTech Founders with Darcy Bachert

Episode breakdown

Key takeaways

Read the conversation

Frequently asked questions

Need help with threat modeling?

Keep listening

Early Design Decisions that Shape Medical Device Success with Chris Danek, CEO of Bessel

What Happens When AI in Medical Devices Make Mistakes?

The Human Factor in MedTech Design with Dylan Horvath

Science Before Hype in MedTech Investing with Varun Turlapati of Chaanakya Capital

Get FDA cleared without the cybersecurity headaches.